Summary
In a default installation of Oracle 9iAS, it is possible to access SOAP documentation. An attacker could use these files to determine which application server is in use.
Solution
Remove the 'soapdocs' alias from the Oracle 9iAS httpd.conf:
Alias /soapdocs/ $ORACLE_HOME/soap/docs/
Note that the default installation of Oracle 9iAS 1.0.2.2 does not seem to suffer this issue.
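One way to check an Apache-style configuration file for the alias shown above and produce a copy with it disabled. This is an added example, not part of the original advisory or any Oracle tooling; the function names and the sample configuration are constructed for illustration, and the directive is commented out rather than deleted so the change is easy to review.

```shell
#!/bin/sh
# Added example: audit an Apache-style config for an active /soapdocs/ alias.
# Both functions read the config on stdin, e.g.  find_soapdocs_alias < path/to/config

# Constructed sample config (not taken from a real installation).
sample_conf() {
cat <<'EOF'
# constructed sample
Alias /icons/ "/opt/app/icons/"
#Alias /soapdocs/ /old/path/
  alias /soapdocs/ $ORACLE_HOME/soap/docs/
Alias /soapdocs-archive/ /srv/other/
EOF
}

# Print "N: directive" for every active soapdocs Alias line.
# Directive names are case-insensitive in Apache, commented lines are inert,
# and the URL prefix may be written with or without the trailing slash.
find_soapdocs_alias() {
    awk '$1 !~ /^#/ && NF >= 3 && tolower($1) == "alias" && $2 ~ /^\/soapdocs\/?$/ {
             print NR ": " $1 " " $2 " " $3
         }'
}

# Emit the config with each active soapdocs Alias commented out, all else unchanged.
disable_soapdocs_alias() {
    awk '$1 !~ /^#/ && NF >= 3 && tolower($1) == "alias" && $2 ~ /^\/soapdocs\/?$/ {
             print "# disabled: " $0; next
         }
         { print }'
}

# Demo on the sample: report the finding, then confirm the edited copy is clean.
sample_conf | find_soapdocs_alias
remaining=$(sample_conf | disable_soapdocs_alias | find_soapdocs_alias)
[ -z "$remaining" ] && echo "no active soapdocs alias after edit"
```

The server has to be restarted or reloaded before an edited configuration takes effect.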
More information:
http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
http://www.cert.org/advisories/CA-2002-08.html
Also read:
Hackproofing Oracle Application Server from NGSSoftware, available at http://www.nextgenss.com/papers/hpoas.pdf